When we bought Mend (formerly WhiteSource), we did a POC of several competing products. We compared Mend (formerly WhiteSource), Black Duck, and a few other solutions that weren't nearly as good as those two products. Those two are the main competitors in this space. We felt Mend (formerly WhiteSource) was easier to use and we also felt that Black Duck found a few issues that Mend (formerly WhiteSource) wouldn't. Overall, it was much harder to use and we found more false positives in Black Duck. Mend (formerly WhiteSource) is more accurate and it also is easier to use. The status reporting in it is really solid. Particularly, there's some legal guidance here in terms of what licenses we can use and what we can't and Mend (formerly WhiteSource) is really good at finding license types we don't want.

We had other solutions, like SAST scanning and Black Duck, but nothing offered this level of detail. The previous solutions were reactive and required a lot of manual work, whereas Mend proactively identifies vulnerabilities. The code is scanned immediately once it goes into the repository. 

Mend has the ability to control the release using the same data going into production or our test environments. That is what sets it apart from other tools. Other tools are emerging with similar capabilities, but when we picked it, it was one of the only tools that had the features we need. 

We did not previously use any different solution prior to Mend.

We did look at other solutions. There was Veracode that we tried and Tenable. There was Qualys as well. However, we chose Mend, and we have had a license for three years right now.

Before Mend.io, we had a manual process. That means we were tracking all the licensees and copyrights manually. We also tried using an open-source tool to detect vulnerabilities and fix them, but it did not work very well. It was consuming a lot of time on my team.

We use trials of many solutions, such as Snyk and Sonatype.

This solution is the first of its kind for us.

As part of our security certification 27001, we looked at going to ISO 27017, and that had a few more constraints around software security analysis, mainly the secure development life cycle. We recognized that it was high time. That was the first catalyst, and then we went through an inspection of various products on the market, and that's what led us to WhiteSource. The fact that Microsoft is a big investor and speaks highly of them made a difference.

I use multiple solutions, such as Snyk, Black Duck, and Sonatype.

The company used Snyk before I was there. I think they switched for budgeting reasons.

I did not use any other solution previously.

We did not use any other solution.

I have previously used other solutions, such as OWASP Dependency-Check, Snyk open-source, and CheckMark

We did not use another solution prior to this one.

Prior to this solution, we used Black Duck. As of two years ago, when we made the switch, WhiteSource's UI was more modern, the SaaS solution more scalable, and the integration capabilities far superior. The detection accuracy between the two was quite similar. 

For this use case, we did not use another solution prior to this one.

No

We were using editors or Wiki to keep that information, but obviously it was not updated.

We did not use anything before WhiteSource. 

We didn't use anything before, only manually.

This is my first open-source scanning solution.

We were using an in-house solution based on some Maven plugins. The process was not fully-automated. We were looking for a fully-automated solution.